On Thu, Feb 28, 2013 at 10:38 AM, root <[email protected]> wrote:
> Hi,
>
> OK, I know that, thanks.
> But now I have a new problem:
> if I want a non-zero value to trigger an alert, how can I do it?
> In the rules, I write
>
> "submitted=([^0]+)"
> or
> "submitted=([1-9]+)"
>
> All wrong!
>

As you saw from the OSSEC regex documentation you looked at, you know
there's no real way to do that.

You could create rules to handle this, but the decoder won't be able to.

>
>   thanks & Best Regards
>
> From: dan (ddp)
> Sent: 2013-02-28 22:13
> To: ossec-list
> Subject: Re: [ossec-list] about ossec rules Regular Expression Syntax
> On Thu, Feb 28, 2013 at 7:15 AM, root <[email protected]> wrote:
>>
>> So, thanks
>>
>> I think that "extra_data" can match in rules after <regex>
>> :(
>>
>>
>
>
> The problem is that you are not populating extra_data in your decoder.
> You said you are using the following decoder:
>
> <decoder name="rsyslog-pstats">
>   <program_name>^rsyslogd-pstats</program_name>
> </decoder>
>
> So running the log message through ossec-logtest with that decoder produces:
> 2013/02/28 09:02:42 ossec-testrule: INFO: Reading local decoder file.
> 2013/02/28 09:02:42 ossec-testrule: INFO: Started (pid: 7873).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: '2013-02-27T19:06:08.807161+08:00 localhost
> rsyslogd-pstats: imudp(*:514): submitted=0'
>        hostname: 'localhost'
>        program_name: 'rsyslogd-pstats'
>        log: 'imudp(*:514): submitted=0'
>
> **Phase 2: Completed decoding.
>        decoder: 'rsyslog-pstats'
>
> As you can see there is no extra_data field in Phase 2.
> I think the decoder I provided the other day looked something like this:
> <decoder name="rsyslog-pstats">
>   <program_name>^rsyslogd-pstats</program_name>
>   <regex>^\S+\p\S+:\d+\p: submitted=(\d+)$</regex>
>   <order>extra_data</order>
> </decoder>
>
> Using this decoder and the same log message I now get:
> 2013/02/28 09:06:17 ossec-testrule: INFO: Reading local decoder file.
> 2013/02/28 09:06:17 ossec-testrule: INFO: Started (pid: 19646).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: '2013-02-27T19:06:08.807161+08:00 localhost
> rsyslogd-pstats: imudp(*:514): submitted=0'
>        hostname: 'localhost'
>        program_name: 'rsyslogd-pstats'
>        log: 'imudp(*:514): submitted=0'
>
> **Phase 2: Completed decoding.
>        decoder: 'rsyslog-pstats'
>        extra_data: '0'
>
> As you can see the extra_data is now populated in Phase 2, and it
> should be available for use in rules.
>
> If you want to create an alert for 0 submitted widgets, you could do
> something like this:
> <rule id="200001" level="7">
>   <decoded_as>rsyslog-pstats</decoded_as>
>   <extra_data>0</extra_data>
>   <description>0 widgets!</description>
> </rule>
>
>
>>   thanks & Best Regards
>>
>> From: dan (ddp)
>> Sent: 2013-02-28 19:32
>> To: ossec-list
>> Subject: Re: [ossec-list] about ossec rules Regular Expression Syntax
>>
>>
>> On Feb 28, 2013 6:26 AM, "root" <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> About this problem, look at this.
>>>
>>> My decoder is
>>>
>>>
>>> <decoder name="rsyslog-pstats">
>>>   <program_name>^rsyslogd-pstats</program_name>
>>> </decoder>
>>>
>>
>> You aren't decoding an extra_data entry here, so your rule will never
>> match.
>> The second example I wrote for you decoded this properly.
>>
>>> My test rule is
>>>
>>> <group name="local,rsyslog,">
>>>   <rule id="1050001" level="7">
>>>     <decoded_as>rsyslog-pstats</decoded_as>
>>>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>>>     <extra_data>0</extra_data>
>>>     <description>Rsyslog Failed</description>
>>>   </rule>
>>> </group>
>>>
>>>
>>> Log test
>>>
>>> [root@localhost bin]# ./ossec-logtest
>>> 2013/02/28 17:15:30 ossec-testrule: INFO: Reading local decoder file.
>>> 2013/02/28 17:15:30 ossec-testrule: INFO: Started (pid: 12165).
>>> ossec-testrule: Type one log per line.
>>>
>>> 2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7:
>>> processed=0 failed=0
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: '2013-02-27T19:06:08.807156+08:00 localhost
>>> rsyslogd-pstats: action 7: processed=0 failed=0'
>>>        hostname: 'localhost'
>>>        program_name: 'rsyslogd-pstats'
>>>        log: 'action 7: processed=0 failed=0'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'rsyslog-pstats'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '1002'
>>>        Level: '2'
>>>        Description: 'Unknown problem somewhere in the system.'
>>>
>>>
>>> So, I think the rule is wrong, but I don't know what is wrong with the rule.
>>>
>>>
>>>
>>> thanks & Best Regards
>>> From: root
>>> Sent: 2013-02-28 15:40
>>> To: ossec-list
>>> Subject: Re: about ossec rules Regular Expression Syntax
>>>
>>> And what does <extra_data> mean in rules?
>>> Does it support regular expression syntax?
>>>
>>> Now my rules are
>>>
>>> <group name="local,rsyslog,">
>>>   <rule id="1050001" level="7">
>>>     <decoded_as>rsyslog-pstats</decoded_as>
>>>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>>>     <extra_data>^[1-9]+</extra_data>
>>>     <description>Rsyslog Failed</description>
>>>   </rule>
>>> </group>
>>>
>>> It looks like it can not work?
>>>
>>>
>>>
>>>
>>> thanks & Best Regards
>>>
>>> From: root
>>> Sent: 2013-02-28 15:33
>>> To: ossec-list
>>> Subject: about ossec rules Regular Expression Syntax
>>> Hi, all
>>>
>>> I got a question about OSSEC rules regular expression syntax.
>>>
>>> We know that when I want to match a number, I can use "\d" or "\d+".
>>>
>>> But now, if I have a string like this
>>>
>>> "failed=0"=="failed=(\d+)"
>>>
>>> I want to exclude "0". I use "failed=([1-9]+)", but it can not match it.
>>>
>>> How can I do it?
>>>
>>>
>>>
>>>
>>> thanks & Best Regards
>>>
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>>
>>
>

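The answer at the top of this thread is that OSSEC's regex syntax has no way to say "non-zero" inside the decoder, so a rule (or something downstream of decoding) has to do the comparison. The script below is an added example for this thread; it is not code from the thread or from the OSSEC project. It translates the regex tokens OSSEC documents (\w, \d, \s, \t, \p, their negations, \. for "anything", +, *, ^, $, | and capturing parentheses) into an equivalent Python regex, runs dan's decoder regex over constructed sample log lines, emulates the <extra_data> rule field (assumed here to behave as a substring match unless anchored with ^ or $; only those two anchors are emulated), and then does the non-zero test on the extracted value. Function names and sample lines are my own.

```python
import re

# Character classes documented for OSSEC's own regex syntax (OS_Regex).
# OSSEC has no bracket expressions, so "[^0]" and "[1-9]" from the thread
# are simply not part of the language.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",   # \w  letters, digits, '-', '@', '_'
    "d": r"[0-9]",             # \d  digits
    "s": r" ",                 # \s  a single space
    "t": r"\t",                # \t  tab
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p  punctuation
    "W": r"[^A-Za-z0-9@_\-]",  # \W  not \w
    "D": r"[^0-9]",            # \D  not \d
    "S": r"[^ ]",              # \S  not a space
    ".": r".",                 # \.  anything
}


def ossec_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python regex.

    Only the tokens OSSEC documents are accepted.  Bracket classes, '?' and
    '{n}' raise ValueError, so a decoder author finds out at test time
    instead of by a decoder that silently never matches.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i == len(pattern):
                raise ValueError("dangling backslash")
            esc = pattern[i]
            if esc in _OSSEC_CLASSES:
                out.append(_OSSEC_CLASSES[esc])
            elif esc in "()|^$*+":
                out.append("\\" + esc)   # backslash-escaped metacharacter -> literal
            else:
                raise ValueError(f"unknown OSSEC escape \\{esc}")
        elif c in "[]{}?":
            raise ValueError(f"'{c}' is not part of OSSEC regex syntax")
        elif c in "()|^$*+":
            out.append(c)                # same meaning in both dialects
        else:
            out.append(re.escape(c))     # everything else is a literal
        i += 1
    return "".join(out)


def ossec_pattern_is_valid(pattern):
    """True if the pattern uses only OSSEC regex syntax."""
    try:
        ossec_to_python(pattern)
        return True
    except ValueError:
        return False


# The decoder regex posted in the thread, applied to the 'log' portion that
# the pre-decoder leaves after stripping timestamp, hostname and program name.
DECODER_REGEX = r"^\S+\p\S+:\d+\p: submitted=(\d+)$"


def decode_extra_data(log):
    """Return the value a decoder with <order>extra_data</order> would set."""
    m = re.match(ossec_to_python(DECODER_REGEX), log)
    return m.group(1) if m else None


def rule_extra_data_matches(rule_pattern, extra_data):
    """Emulate the <extra_data> rule field (assumption: substring match
    unless anchored).  Only ^ and $ are handled in this simplified model."""
    start = rule_pattern.startswith("^")
    end = rule_pattern.endswith("$")
    literal = rule_pattern[1 if start else 0:len(rule_pattern) - 1 if end else len(rule_pattern)]
    if start and end:
        return extra_data == literal
    if start:
        return extra_data.startswith(literal)
    if end:
        return extra_data.endswith(literal)
    return literal in extra_data


def submitted_is_nonzero(log):
    """The check the thread asks for.  The decoder can only capture the
    digits; the comparison has to happen after decoding, outside the regex."""
    value = decode_extra_data(log)
    if value is None:
        return None          # not a 'submitted=' pstats line at all
    return int(value) != 0


# Constructed sample lines in the shape shown by the thread's logtest output.
SAMPLE_LOGS = [
    "imudp(*:514): submitted=0",
    "imudp(*:514): submitted=17",
    "action 7: processed=0 failed=0",   # a different pstats line: no match
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(f"{log!r:36} extra_data={decode_extra_data(log)!r} "
              f"nonzero={submitted_is_nonzero(log)}")
    for bad in ("submitted=([^0]+)", "submitted=([1-9]+)"):
        print(f"{bad}: valid OSSEC syntax = {ossec_pattern_is_valid(bad)}")
```

Two things the emulation makes visible: both patterns root tried are rejected outright because bracket classes do not exist in OSSEC's syntax, and a rule field of `0` matches any value containing a zero (10, 500), so anchoring it as `^0$` is what pins the rule to the "nothing submitted" case.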